Show filters
10 Total Results
Displaying 1-10 of 10
Sort by:
Attacker Value
Unknown

CVE-2023-2110

Disclosure Date: August 19, 2023 (last updated October 08, 2023)
Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.
Attacker Value
Unknown

CVE-2023-33244

Disclosure Date: May 20, 2023 (last updated October 08, 2023)
Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page.
Attacker Value
Unknown

CVE-2023-27035

Disclosure Date: May 01, 2023 (last updated October 08, 2023)
An issue discovered in Obsidian Canvas 1.1.9 allows remote attackers to send desktop notifications, record user audio and other unspecified impacts via embedded website on the canvas page.
Attacker Value
Unknown

CVE-2023-24044

Disclosure Date: January 22, 2023 (last updated November 08, 2023)
A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "the ability to use arbitrary domain names to access the panel is an intended feature."
Attacker Value
Unknown

CVE-2022-45130

Disclosure Date: November 10, 2022 (last updated December 22, 2024)
Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names ("Obsidian"), not numbers.
Attacker Value
Unknown

CVE-2022-36450

Disclosure Date: July 25, 2022 (last updated October 07, 2023)
Obsidian 0.14.x and 0.15.x before 0.15.5 allows obsidian://hook-get-address remote code execution because window.open is used without checking the URL.
Attacker Value
Unknown

CVE-2021-42057

Disclosure Date: November 04, 2021 (last updated February 23, 2025)
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
Attacker Value
Unknown

CVE-2021-35976

Disclosure Date: September 10, 2021 (last updated February 23, 2025)
The feature to preview a website in Plesk Obsidian 18.0.0 through 18.0.32 on Linux is vulnerable to reflected XSS via the /plesk-site-preview/ PATH, aka PFSI-62467. The attacker could execute JavaScript code in the victim's browser by using the link to preview sites hosted on the server. Authentication is not required to exploit the vulnerability.
Attacker Value
Unknown

CVE-2021-38148

Disclosure Date: August 07, 2021 (last updated November 28, 2024)
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.
Attacker Value
Unknown

CVE-2020-11583

Disclosure Date: August 03, 2020 (last updated February 21, 2025)
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.